Skillv1.0.0

ClawScan security

Voiceover Italiano · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 28, 2026, 7:19 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions largely match its stated purpose (sending videos to a cloud API to add Italian voiceovers); there are small, non-critical inconsistencies (a declared config path and install-path detection) that deserve attention before installing.
Guidance: This skill is coherent with its stated purpose: it uploads video to an external service (mega-api-prod.nemovideo.ai) to produce Italian voiceovers and needs a NEMO_TOKEN to authorize requests. Before installing, consider: 1) Privacy — any video you upload will be sent to the external service; avoid uploading sensitive footage. 2) Credentials — if you supply your own NEMO_TOKEN it grants access to that account; prefer using the anonymous starter token if you want limited exposure. 3) Metadata oddities — the skill declares a config path (~/.config/nemovideo/) and mentions detecting the agent install path for headers; ask the publisher whether the skill will read local config or probe install directories and why. 4) Trust & provenance — the skill has no homepage or known publisher; verify the service and its terms/privacy before sending production content. If you need higher assurance, request the publisher to provide a homepage, privacy policy, and an explanation of why the config path / install-path detection are required.

Review Dimensions

Purpose & Capability: noteThe skill is a cloud-based video voiceover integrator and only requests a single service credential (NEMO_TOKEN), which is proportional. However the metadata declares a config path (~/.config/nemovideo/) and mentions detecting an install path for header attribution; those items are not clearly required to perform the stated task and appear unnecessary.
Instruction Scope: okSKILL.md instructs the agent to obtain/use a NEMO_TOKEN, create a session, upload videos, and poll render status on the provided nemovideo.ai endpoints — all within the described voiceover workflow. It does not instruct reading unrelated system files or scraping unrelated credentials. The only slightly out-of-scope item is the note about detecting install path to populate X-Skill-Platform, which implies probing agent environment but is not further specified.
Install Mechanism: okInstruction-only skill with no install spec and no code files. No downloads or package installs are specified, so there is no install-time execution risk.
Credentials: noteOnly NEMO_TOKEN is required (primaryEnv), which matches the cloud API usage. The declared configPath (~/.config/nemovideo/) is extraneous relative to the described flow and could give the skill access to local service config if the agent were to read it — the SKILL.md doesn't clearly justify needing that path.
Persistence & Privilege: okalways:false and normal model invocation. The skill does not request persistent system-wide privileges or to modify other skills' configs. There is no instruction to persist credentials beyond using NEMO_TOKEN for API calls.